My colleague, Ray Shaw, has pointed out some of the many problems of the Australian Government’s new electronic snooping legislation, the Assistance and Access Bill. But there are a couple of likely results that few (if any) have noticed.
It seems that the Assistance and Access Bill is, as I write, still before the House of Representatives, so we may yet be spared this amateurish farce. Maybe. But if it comes, what are the implications?
The Assistance and Access Bill
Reports suggest that the Assistance and Access Bill will empower the government to require computer and software vendors to have some way of finding out the content of encrypted communications. There are two ways – in theory – that this content could be found out:
- The encryption could be broken.
- Some kind of backdoor could be added to the encryption system so that the encryption doesn’t need to be broken.
Virtually all encryption systems these days use public key encryption. I started to write an explanation of how this works, often involving the difficulty of determining the prime factors of large numbers, but that stuff isn’t needed to see the problem.
The problem for the security services is that the communications of potential malefactors are unbreakably secure. As powerful computers become more powerful, and the ability to brute-force a way in increases, the encryption system can be very easily enhanced to defeat the attack. Add one digital bit to the length of the numbers involved, and you more than double the complexity. Add another bit, and the time taken to break the encryption more than doubles again.
In short, public key encryption systems are invincibly secure. The government can issue all the warrants it wants. It might even be able to force a tech company to assign a team to the task. But the team will not be able to achieve anything, no matter how hard they try. Not every problem in the world has a solution.
Yet governments try, accidentally crushing liberties along the way. In this case, through the Assistance and Access Bill.
Here we get to what the government foolishly thinks is the real solution. That is, it apparently believes that it can require communications software companies to build some kind of backdoor or vulnerability into their software.
Let’s use, say, WhatsApp as our example. WhatsApp promised totally secure communications using end-to-end encryption. If we believe its claims, and no-one has ever seriously disputed them, your WhatsApp message to me may be intercepted by someone along the way, but it can never be read by them.
It seems that what the Australian government wants is for WhatsApp, and all the others, to build in some kind of backdoor to its encryption system. Say, a special duplicate key that can also unlock the contents, should it be served with a warrant.
Now most of the commentary I see about this worries, strangely, about how that might make the system less secure to other, nefarious third parties. Well, sorry, no it wouldn’t. Assuming, that is, WhatsApp could maintain security of the backdoor key, your communications would remain as secure as ever. At least until the government felt suspicious enough about you to get a warrant to break into your communications.
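The "special duplicate key" idea amounts to wrapping each message's content key for one extra recipient. The Python sketch below is an added illustration, not WhatsApp's code or protocol: textbook RSA over constructed toy primes and a hash-based keystream stand in for real primitives, and every name in it is hypothetical. It shows that a single escrow private key opens every conversation, so the whole system rests on that one key staying secret.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA keypair from two primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (toy stream cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt(message, public_keys):
    """Encrypt once, then wrap the content key for every listed public key."""
    content_key = secrets.token_bytes(16)
    k = int.from_bytes(content_key, "big")
    return {
        "body": keystream_xor(content_key, message),
        "wrapped": {name: pow(k, E, n) for name, n in public_keys.items()},
    }

def decrypt(envelope, name, n, d):
    """Unwrap the content key with one private key and recover the message."""
    k = pow(envelope["wrapped"][name], d, n)
    return keystream_xor(k.to_bytes(16, "big"), envelope["body"])

# Constructed toy keys from Mersenne primes: far too weak for real use.
ALICE = make_keypair(2**89 - 1, 2**107 - 1)
BOB = make_keypair(2**89 - 1, 2**127 - 1)
ESCROW = make_keypair(2**107 - 1, 2**127 - 1)

def escrow_reads_all():
    """Return what the single escrow private key recovers from two chats."""
    to_alice = encrypt(b"for alice only", {"alice": ALICE[0], "escrow": ESCROW[0]})
    to_bob = encrypt(b"for bob only", {"bob": BOB[0], "escrow": ESCROW[0]})
    return [decrypt(m, "escrow", *ESCROW) for m in (to_alice, to_bob)]

if __name__ == "__main__":
    print(escrow_reads_all())
```

Without the `"escrow"` entry in `public_keys`, only the named recipient holds a wrapped copy of the content key.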
What will happen?
The problem is something completely different.
Let’s say that you are WhatsApp. Let’s say that the government does pass the Assistance and Access Bill. So, the Australian government comes to you next year some time and says: “We insist that you build a backdoor into your app so that when we get a warrant, we can read bad people’s WhatsApp messages.”
What do you do?
Well, you could comply. But your entire business depends on everyone believing that WhatsApp messages are utterly secure. So, could you comply but kind of keep the backdoor secret?
Well, no, you couldn’t. There is such a thing as consumer law. The new Australian legislation seems to have stuff in it which protects you from Australian consumer law in these circumstances. But it won’t protect you from US law. You know, the law of the country where your headquarters is located. The law of the country which has 300+ million potential customers, rather than Australia’s 25-ish million. So, you’d have to declare that your software is no longer invincibly secure, but subject to warrants from the Australian authorities.
Naturally you’d have a public relations nightmare. How many journalists, or even computer technical writers, understand public key encryption? How many understand nondeterministic polynomial time complexity? (That’s so-called NP complexity.) How many even know what integer factorisation is?
No, the message would be simple: WhatsApp was once utterly secure. And now it isn’t any more.
So, you’re WhatsApp. What do you do?
You say to the Australian Government: “Sorry, that would destroy our business. We will henceforth withdraw from your market.” Australians would find that their WhatsApp apps would no longer work. WhatsApp would be geoblocked in Australia in the App and Play Stores.
If you used a VPN to get around the geoblocking, WhatsApp wouldn’t mind. It would only be interested in its executives not being sent to jail, should they happen to go to Surfers Paradise for a holiday.
The terrorists? If they get worried about WhatsApp, they’ll use something else (that is equally not within Australian jurisdiction).
So, to the extent that this legislation requires backdoors to otherwise secure communications systems, it will achieve nothing. Except making it harder for law-abiding Australians to enjoy secure communications. And VPNs. Remember, the good VPNs use similar encryption technologies. So, they also will have to retire from the Australian market, at least officially.
But there will always be ways. There always are. Australians who want secure communications will find some way of getting WhatsApp or a VPN or something.
The next step then? Criminalisation of acquisition or use by Australians of a communications channel which cannot be spied upon by the Australian authorities? Why not stop this silliness right now, before the passage of the Assistance and Access Bill?